Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
b
bright-whale-83501
09/19/2022, 6:04 PMcross post frrom #rke But here it goes:
I'm installing RKE2 agent on a windows worker. Should I just use the URL given from ranchers custom cluster -> registration. Or should I follow instructions from https://docs.rke2.io/install/windows_airgap/ (I cant find any other installation documentation for the agent)
c
creamy-pencil-82913
09/19/2022, 6:07 PMWhen you say the custom cluster registration URL, you mean the one that lets you download the Rancher installation manifest for application to the downstream cluster?
RKE2 agents should be pointed at an RKE2 server, not at Rancher.
b
bright-whale-83501
09/19/2022, 6:13 PMI mean cluster management -> clusters -> registration. Step 2, I copy the url with curl.exe and paste it into my windows worker.
wins-agent-install.ps1
c
creamy-pencil-82913
09/19/2022, 6:27 PMyes, that should work, if you’re using Rancher for provisioning
the RKE2 docs don’t cover Rancher provisioning. They only cover standalone RKE2 clusters. Rancher docs in Rancher docs, RKE2 docs in RKE2 docs.
b
bright-whale-83501
09/19/2022, 6:29 PMI do. But I've had a horrible time getting things to work. Biggest problem is our self signed CA, I pass --insecure to rancher but it does not matterr. So I swapped out curl.exe in windows with 2 releases newer, and that version accept our ca, if I rebuild the cerrtificate-bundle in windows.
But the installation process ends up in a loop right after calico cni have been brought alive. kubelet.exe are extracted again, and cant be replaced on the disk, since kubelet.exe are already executing in windows.
If I manually kill that process and delete kubelet.exe, the installer continues. But ends up in a loop
Looking at the logs in windows I think this is the main error, but I dont know how/where to poke to solve it:
"Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash. Use the full token from the server's node-token file to enable Cluster CA validation"
Amazing. I think I solved the last hurdle. I added --insecure into the part that downloads kubeconfig from rancher.
it's very strange. Even thou I run my own curl.exe, that have curl-ca-bundle.crt in the same folder it did not accept our CA. All previous curl.exe calls, utilize curl-ca-bundle.crt, For the record, its function Get-RancherConnectionInfo that I needed to add --insecure into
c
creamy-pencil-82913
09/19/2022, 7:08 PMah yeah, there may be issues with proxies and custom CAs on Windows. I know that the golang crypto libs don’t make it easy to interact with the Windows certificate store.
b
bright-whale-83501
09/19/2022, 7:28 PMits curl.exe that (this time) didnt play with the certstore, at all
most google hits, gladly tell you to just add -k or --insecure. But I wanted to pass my ca cert. Almost worked